"The company said Salesforce initially provided a list of 3 impacted customers and that it has "expanded to a larger list" as of November 21, 2025. It did not reveal the exact number of customers who were impacted, but its CEO, Chuck Ganapathi, said "we presently know of only a handful of customers who had their data affected.""
"The development comes as Salesforce warned of detected "unusual activity" related to Gainsight-published applications connected to the platform, prompting the company to revoke all access and refresh tokens associated with them. The breach has been claimed by a notorious cybercrime group known as ShinyHunters (aka Bling Libra). A number of other precautionary steps have been enacted to contain the incident. This includes Zendesk, Gong.io, and HubSpot temporarily suspending their Gainsight integrations, and Google disabling OAuth clients with callback URIs like gainsightcloud[.]com."
"In an FAQ, Gainsight has also listed the products for which the ability to read and write from Salesforce has been temporarily unavailable - Customer Success (CS) Community (CC) Northpass - Customer Education (CE) Skilljar (SJ) Staircase (ST) The company, however, emphasized that Staircase is not affected by the incident and that Salesforce removed the Staircase connection out of caution in response to an ongoing investigation."
Gainsight disclosed that suspicious activity targeting its applications affected more customers than initially indicated, with Salesforce first listing three impacted customers and later expanding that list as of November 21, 2025. The exact number of impacted customers was not provided, though the CEO said only a handful had data affected. Salesforce detected unusual activity tied to Gainsight-published apps and revoked related access and refresh tokens. The breach was claimed by ShinyHunters (aka Bling Libra). Several vendors temporarily suspended Gainsight integrations and Google disabled certain OAuth clients. Gainsight listed affected products and both companies published indicators of compromise, including a flagged user agent string.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]